Why govt’s proposed rules for prepaid instruments may hurt e-wallets

The government on Wednesday released draft guidelines for digital wallet companies as part of its efforts to promote electronic payments, ensure security of transactions and strengthen grievance redressal for consumers.

The draft Information Technology (Security of Prepaid Payment Instruments) Rules 2017 mandate, among other things, that digital wallets adopt multiple-factor authentication when a customer initiates payment. That could prove to be a blow for mobile wallets, which often highlight seamless transactions as one of the biggest advantages over traditional credit and debit cards.

However, the government may exempt electronic pre-payment instrument (e-PPI) issuers from multiple-factor authentication in specific cases depending on the amount, nature of transaction, risk involved, etc. Notably, small-value card transactions are exempted from multiple-factor authentication, according to the Reserve Bank of India rules, and digital wallets could enjoy get a similar exemption.

Besides, the draft rules make it mandatory for e-PPI issuers to develop and implement an information security policy for their payment systems.

All wallets also need to display on their website and mobile app the privacy policy and the terms and conditions “in simple language, capable of being understood by a reasonable person”. The privacy policy should include: information collected directly from the customer and information collected otherwise; uses of the information; period of retention of information; purposes for which information can be disclosed and the recipients; sharing of information with law enforcement agencies; security practices and procedures; name and contact details of the grievance redressal officer along with the mechanism; and any other details specified by the government.

Every e-PPI issuer will have to carry out risk assessment regarding the security of its payment systems. Besides, wallets will have to review the security measures at least once a year, and after any major security incident or breach.

Wallets will also have to contractually require merchants handling any authentication data to have security measures in place to “protect the security, confidentiality and integrity of personal information”.

“There should be a mechanism for monitoring, handling, and follow-up of cyber incidents, cybersecurity incidents and cybersecurity breaches. CERT-In shall notify the categories of incidents and breaches that are required to be reported to it mandatorily. CERT-In may require wallets to notify customers of cyber security incidents or breaches if the incident or breach is likely to result in harm to the customers,” the draft said.

Following the government’s demonetisation move in November, digital wallet transactions have hit an all-time high. M-wallets saw as many as 213 million transactions in December compared to November’s 138 million, an increase of 54%. The December numbers seem even more stellar in the light of the fact that the November figure was almost 40% higher than the previous month’s. In value terms, m-wallets clocked a mammoth Rs 7,448 crore in December, up from November’s Rs 3,305 crore. However, there are no standardised security terms for e-wallet companies at present.

The draft guidelines are open for public consultation, and suggestions will be accepted till March 20.